Hacking forensics

The process of detecting hacking attacks and extracting evidence in order to report the event and conduct audits that help prevent similar attacks in the future (where possible). It includes techniques for detecting and reverse engineering malware and advanced persistent threats, such as FinFisher.

More generally, and with an eye on practicality: without determining the nature of the incident, there is no way of knowing how to protect the system and its data better. Simply reinstalling the system from “clean” media or from a known-good image and placing that system back into its environment may lead to it being compromised all over again.

The EC-Council started another certification, CHFI, which can be useful for organising one's thoughts on the means and methods for discovering data that resides in a computer system, for recovering deleted, encrypted or damaged file information (known as computer data recovery), and for identifying an intruder’s footprints. Following those pigeonholes, these pages lead to further notes and videos.


Preparations

Knowledge about platforms, operating systems, abstraction layers and virtualisation, and about which devices and hardware to gather for building a flexible digital forensics lab, where maintenance doesn't take up all one's time and energy.

More ...

Recovering files and partitions

The different target sources where files live, how to recover data files and which tools to use: deleted or lost files emptied from the Recycle Bin, files lost after a hard disk crash, files from a hard drive that has been reformatted or repartitioned, financial records and other documents, files from a USB drive, memory card, memory stick, camera card, zip disk, floppy disk or other storage media, files recovered with their original date and timestamp, and finding partitions automatically, even if the boot sector or FAT has been erased or damaged.

More ...

Log correlation

Capturing and analysing security event logs, application event logs, system event logs and other logs.

More ...

Hard disks and file systems

Types of hard disks, hard drive speed and capacity, the different types of file systems, logical structures, recovering deleted files from hard disks, analysing file systems.

More ...

Digital tampering

Different types of images, compression, imaging tools, image manipulation and recovery.

More ...

Network forensics

Capturing packets of a network, analysing incoming and outgoing packets, filtering the network, capturing network traffic and analysing it.

More ...

Windows forensics

Volatile vs. non-volatile information, profiling a system, viewing system information, memory processes and disk raw sectors, verifying integrity of files, creating drive images, recovering deleted files and viewing cookies, scanning for pictures, etc.

More ...

Steganalysis

Using steganalysis methods to find images with steganographic content, detecting the program used to hide the message and the location of the hidden content, analysing image file headers, reconstructing damaged file headers, identifying image file fragments and image file formats, recovering photo evidence from raw files.

More ...

Wireless attacks

Detecting wireless rogue access points, cracking WEP, capturing wireless network traffic and analysing it.

More ...

Mobile forensics

More ...

Data acquisition

During the boot process, temporary files can be deleted, timestamps can be modified, data altered, and new files created on the drive. Investigating, for example, NTFS streams on hard drives, hidden text strings, and extracting hidden content from hard drives.

More ...

Application password crackers

More ...

Email forensics

Recovering deleted email messages, attachments and message contacts, tracking sender IP address, tracing an email to its true geographical source, collecting Network (ISP) and Domain Whois information for any email traced.

More ...

Malware analysis

Determining the functionality, origin and potential impact of a given malware sample such as a virus, worm, trojan horse, rootkit, or backdoor.

More ...